DETAILED ACTION

The Request for Continued Examination has been accepted and entered. 

Response to Arguments 

Applicant's arguments, filed 11/20/2008 with respect to the rejection(s) of claim(s) 1
under Blake US 2004/0128543 have been fully considered and are persuasive. Therefore, the 
rejection has been withdrawn. However, upon further consideration, a new ground(s) of 
rejection is made in view of Becker US 2004/0139128. 



Claim Rejections - 35 USC §101 

The claimed invention is directed to non-statutory subject matter. The method claim, Claim 1 
must be tied to a machine or a computer readable medium for it to be statutory. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made. 

Claim*** rejected under 35 U.S.C. 103(a) as being unpatentable over 

Claims 1-4, 7, 9, 10, 15, 18-20, 23, 24 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Blake US 2004/0128543 in view of Becker US 2004/0139128. 

As per claim 1, 23, Blake teaches deploying a honey pot (Fig 4, system for morphing a
honeypot on a dynamic and configurable basis, administrator configures honeypot)
[0011], [0036]. Blake teaches detecting a breach of the honey pot (suspicious requests,
acts to compromise honeypot, client system probing for vulnerability, attacks) [0038], 
[0070], [0075], [0084]. Blake teaches capturing the state of the honeypot including 
creating a copy of the data associated with a compromised honeypot (activity logs) 
[0040]. Blake teaches automatically redeploying the honey pot [0037], [0076]. 

Becker teaches reinitializing to an initial state via an image [0151], [0163]. 

It would have been obvious to one of ordinary skill in the art to use the image of Becker
with the redeployment of Blake because it would restore the honeypot after a
compromise.



As per claim 2 Blake teaches analyzing the breach (analysis operations, analyzing 
requests) [0037], [0075]. 

As per claim 3 Blake teaches automatically analyzing the breach (automatic analysis),
Figure 4, [0037], [0075]. 

As per claim 4 Blake teaches the breach is automatically detected (determination is made 
as to whether a probe has been detected) [0070], [0075]. 

As per claim 7, Blake teaches configuring the honey pot (configuration phase (step 402)) 
[0037]. 

As per claim 9 Blake teaches the honey pot is a physical machine (implemented in 
hardware) [0026]. 

As per claim 10 The method of claim 1, wherein the honey pot is a virtual machine 
(virtual directories, emulated) [0038].

As per claim 15 Blake teaches the detecting is based on an elapsed time (track suspicious 
client requests over time) [0070]. 

As per claim 18 Blake teaches saving state information associated with the honey pot 
(activity logs) [0040]. 

As per claim 19 Blake teaches saving state information associated with the honey pot and 
wherein saving and redeploying occur in parallel (all activity, actions taken by emulated 
services, or honeypot as whole, is logged) [0040]. 

As per claim 20, Blake teaches analyzing the breach and redeploying occur in parallel 
(analysis and reconfiguration operations performed at the same time) [0037]. 

As per claim 24, Blake teaches deploying a honey pot (Fig 4, system for morphing a
honeypot on a dynamic and configurable basis, administrator configures honeypot)
[0011], [0036]. Blake teaches detecting a breach of the honey pot (suspicious requests,
acts to compromise honeypot, client system probing for vulnerability) [0038], [0070], 
[0075]. Blake teaches automatically redeploying the honey pot (automatic 
reconfiguration operations, reconfigured to present information reflecting a different 
vulnerability) [0037], [0076]. Blake teaches the honeypot is implemented using a 
processor and memory coupled to the processor (CPU, disk units) [0026]. 

Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Becker US 2004/0139128 in view of Fagone US 2004/0078592. 

As per claim 6 Blake does not teach shutting down the honey pot. 

Fagone teaches shutting down the honeypot (disconnecting from network) [0017]. 

It would have been obvious to one of ordinary skill in the art to use the shut down method 
of Fagone in case a honeypot becomes a danger to the network [0017]. 

Claim 8 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Becker US 2004/0139128 in view of Schlereth "Analysis of a 
Compromised Honeypot on a Cable Modem". 

As per claim 8 Blake does not teach copying a honey pot image.

Infocus teaches creating and copying a honeypot image (creating an image of a
compromised system for investigation, Pages 21-24).

It would have been obvious to one of ordinary skill in the art to use a honeypot image
because it limits the chance of destroying evidence on the compromised system (page 
24). 



Claims 13 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blake US 2004/0128543 in view of Becker US 2004/0139128 in view of Lewis US
2003/0110396. 



As per claim 13 Blake fails to teach detecting is based on the number of outgoing 
connections detected. Lewis teaches detecting is based on the number of outgoing 
connections detected (large number of IP requests) [0079]. 

It would have been obvious to one of ordinary skill in the art to use the detection of 
Lewis in the system of Blake to detect Denial of Service attack attempts.

As per claim 14 Blake fails to teach detecting is based on the number of incoming
connections detected. Lewis teaches detecting a breach based on the incoming
connections detected (abnormally large connection attempts to target) [0062].

It would have been obvious to one of ordinary skill in the art to use the detection of
Lewis in the system of Blake to detect Denial of Service attack attempts.

Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view Becker US 2004/0139128 in view of INFOCUSrThe Honeynet 
Project 

As per claim 17 Blake does not specify an operating system.

Infocus teaches the honey pot runs a Linux operating system (linux, page 3). It would
have been obvious to one in the art to use the multiple OS of Infocus with the honeypot 
of Blake because it provides support to create a honeypot for a wide range of users. 

Claims 21 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blake US 2004/0128543 in view of Becker US 2004/0139128 in view of Turk US
2005/0108415 

As per claims 21, and 22, Blake does not teach mapping an IP address to a honeypot. 

Turk teaches receiving an incoming connection associated with an IP address (pinging a
given IP address) [0071]. Turk teaches mapping the IP address to the honey pot (honeypot
responds to unrouted IP address requests) [0071]. Turk teaches releasing the IP address 
mapping and mapping another IP address to the honey pot (honeypot accepts any IP 
address request that is not stored in the routing table, thus it will remap to a different IP if 
a different unrouted destination IP request arrives) [0071]. 

It would have been obvious to one of ordinary skill in the art to use the IP mapping of 
Turk with the system of Blake because it tricks a malicious user into thinking they have
successfully compromised their target destination IP. 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CHRISTOPHER J. BROWN whose telephone number is 
(571)272-3833. The examiner can normally be reached on 8:30-6:00. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Christopher J Brown/ 

Primary Examiner, Art Unit 2434 